IRS data protections found lacking

The IRS has failed to implement key components of its information security program, potentially putting at risk sensitive agency and taxpayer data, according to the federal government’s top watchdog.

A report from the Government Accountability Office released Friday concludes that IRS computer systems used to process financial and taxpayer data are subject to “control weaknesses” that could “jeopardize the confidentiality, integrity and availability of the financial and sensitive taxpayer information processed by IRS’s systems.”

Story Continued Below

Specifically, the GAO noted that the IRS has not consistently put security controls in place to monitor actions on its computer systems, identify and authenticate users and ensure that sensitive data is encrypted while in transit. The report also said that outdated and unsupported software continues to expose the IRS to “known vulnerabilities and shortcomings in performing system backup place the availability of data at risk.”

“Considered collectively, these deficiencies … along with a lack of fully effective compensating and mitigating controls, impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats,” the report said.

The IRS uses computerized systems to support the processing, storage and transmission of critical financial and taxpayer information. To manage that information, the IRS maintains enterprise data centers in Michigan, West Virginia and Tennessee.

Federal watchdogs conducted audits at all three locations. They also reviewed key IRS security policies and interviewed agency officials during fiscal years 2011 and 2010.

The GAO noted that the IRS has established a framework for a comprehensive information security program, and has even made strides in addressing security deficiencies. That includes the creation of working groups to “identify and remediate specific at-risk control areas.” However, the report notes that the IRS has still hasn’t fully implemented the program.

The GAO recommended that the IRS take six specific actions to help put the security program in place, including improvements to the agency’s continuous monitoring process. The GAO also said it is recommending an additional 23 steps in a separate report to” correct newly identified control weaknesses.”

The IRS, in a response to the GAO report, agreed to develop a detailed corrective action plan to address each recommendation.

This article first appeared on POLITICO Pro at 6:29 p.m. on March 16, 2012.